
virus/security problems

Discussion in 'Legacy Windows' started by shenanigins, 2003/06/16.

Thread Status:
Not open for further replies.
  1. 2003/06/16
    shenanigins

    shenanigins Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    104
    Likes Received:
    0
    Hi, my name is Shannon and I'm not a regular on this site, but have been in and out over the last year or so. It is obvious that most users of this site are very knowledgeable so I'm hoping I can get some reliable feedback.

    My father owns a small business that is set up with a peer to peer network. I'm clueless when it comes to networking stuff, although I am fairly competent with computer stuff in general. The problem is speed and viruses. He is running Norton System Works and has updated virus definitions weekly. He receives a warning on an almost daily basis that a virus has been found and quarantined. He runs a complete scan and is "clear", then later gets another message with another virus that has been detected and quarantined. I've gone in every week or so and tried to clean the system of these viruses. What I find is that although there are multiple files, most are infected with the same virus. After researching the viruses on Symantec I try to remove the viruses according to their directions, but so far I have not found any of the files and registry keys that are "supposed" to be there. It appears his system is clean... but then he continues to get the same messages.

    In addition to the virus notices, his system runs excruciatingly slow. He is running 256 MB RAM, I believe is on a Pentium 3 with 1.4 GHz, and is running Windows 2000 Professional. He connects to the internet with SBC Yahoo DSL. His system crashes on a regular basis.

    I'm beyond frustrated... as he calls me to fix the problems and I've been unable to do anything to help him. Can you suggest what might be happening and how to fix it? PLEASE!!!

    Thanks so much...
    Shannon
     
  2. 2003/06/16
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    I sure can Shannon but I am on my way out the door for an appointment and will be gone 3-4 hrs.

    I will post details when I return.

    Sorry, I can't do it now, but I just wanted to let you know I will post this evening.

    mike
     

  4. 2003/06/16
    shenanigins

    shenanigins Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    104
    Likes Received:
    0
    Thanks...

    I will look forward to your response!

    ~Shannon
     
  5. 2003/06/16
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Not to worry Shannon. Happy to help out irregulars too. :)


    "He receives a warning on an almost daily basis that a virus has been found and quarantined. He runs a complete scan and is "clear", then later gets another message with another virus that has been detected and quarantined."

    His AV program is doing just what it is supposed to. Virus tries to get in. Gets dealt with. Scan shows clean because there was never an infection but just a file with a viral payload trying to infect him but blocked before it could start.

    Any virus files placed in quarantine by Norton won't show on a later scan. But you might want to set his system to delete them rather than stuff them in a quarantine folder.

    For the rest, when you say his system is slow, do you just mean with internet stuff or that it runs slowly most/all of the time?

    And specifics on the crashes would be nice. Check the event logs for details.

    Meanwhile, I suggest the following, and doing them in this order would be good:
    - dump temporary internet files and make sure the browser isn't set to store over maybe 100Mb of the things.
    - dump the cookies just in case there is a buggy one.
    - download, update, and run Ad-aware 6.x and get rid of all it finds
    - download, update, and run Spybot and get rid of all the pre-checked items it finds. Then click the Immunize button
    - start~run~cmd and then chkdsk x: /r (where x: means do all drives/partitions)
    - start~run~sfc /scannow and reapply the latest SP after that is done.
    - defrag all partitions

    This list done on a monthly basis will tend to keep things running a bit better.

    mflynn has a slightly longer list of clean-up stuff to do but these are a good starting place.
     
  6. 2003/06/16
    shenanigins

    shenanigins Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    104
    Likes Received:
    0
    The system runs slow all the time, not just when browsing the web. I have dumped all the cache/cookie/history files and do that regularly. The thing that confuses me is that the viruses he keeps getting are the SAME viruses over and over. I assume it's possible he's getting these from a website he visits regularly? He doesn't open email attachments ever.

    I will check the event log and post the information here, but it will probably be a day or two before I get back over there. However, today his system crashed again and when rebooted it hung on the BIOS screen forever, then came up with a message saying it was "beginning primary memory dump". I've never heard of this before. My father said he just shut the computer off completely because he was worried about what it was doing. He rebooted about 30 minutes later and it loaded normally. Any clues?

    Thanks again.
     
  7. 2003/06/16
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,068
    Likes Received:
    396
    By any chance does he regularly use backup media like a CD-RW or floppy or Zip? If so, the media may be infected and writing the viri to the system every time it gets used.

    Have him note or take screenshots of the NAV window and note 'where the viruses are', e.g. an email folder etc. He just may be receiving infected attachments daily and the AV is doing its job. In which case, he can set up mail rules to auto delete such attachments and give the AV program a rest for a change.
     
  8. 2003/06/16
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Hi Shannon

    Looks like you have plenty of help. Seems like we have decided the virus scanner is doing its job.

    And Newt and Tony have good advice. What you need to do is find out where they are coming from. Does he get them when he has not been browsing or retrieving email? Does he know to delete unread spam messages, especially those with attachments, unread?

    I will give you the instructions and tools to help kick the computers into high gear. But to keep it that way you are going to have to clean the entire network.

    I will bet you that he is being reinfected by the network. You probably have a station or more whose virus scanner has expired or is disabled, or worse, none at all.

    So tell us about the network. How many, what OS, cable or DSL etc. What scanners, and are they being updated?

    Do you know for a fact that all of them do have virus scanners installed and working?

    I can tell you this, if you do have a network virus you will have to either.....

    a. turn off the network hub/switch so there are no connections and then clean them all one at a time before turning back on.

    b. unplug the network cable, clean one and move to the next, and not plug the cables back in until all are clear.

    c. "best option" unplug all, then plug one up and clean it, then unplug it and move to the next, plug it in, clean. If you leave the first one that has been cleaned plugged in and plug one in that is infected, then it is possible the first will become infected again. The reason this is the best way is it will allow access to the internet for downloading virus updates and other fixes. Hopefully you have broadband.

    Get me more info on the network as mentioned above, and let me know if you are up to this. As I don't want to write 3 or four pages if you can not do it for some reason.

    I suspect it will average 1.5 hours per computer.

    It's no fun! But unless someone has a real magic wand it is the only way.

    Mike
     
  9. 2003/06/16
    shenanigins

    shenanigins Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    104
    Likes Received:
    0
    Thanks for all the replies. I will head over to his office tomorrow morning and get all the information regarding the events logs, the network setup, etc. I'll go ahead and run the apps suggested above, too. I know for a fact that the other computers are either running no virus protection or outdated protection. This is a very "small" business with only 3 employees. The computers are networked due to the business program used and the need for all employees to have access. Two of the computers never go online at all.

    Anyway... I will post more tomorrow when I get the details.

    Thanks a million.:)
     
  10. 2003/06/16
    shenanigins

    shenanigins Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    104
    Likes Received:
    0
    BTW... all of his email activity is restricted to his web based yahoo mail. He no longer downloads his email directly to his system. I assume this would protect against the spam mail possibility listed above?

    He also doesn't use any kind of removable media or backup that would be reinfecting his system... however, I do have the system set up to run a backup of his data files onto a removable USB hard drive on a weekly basis. This data is never restored, unless the unthinkable happens to his system.
     
  11. 2003/06/17
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Ok sounds like you are going to tackle this so here are the steps.

    You have two separate things to do.

    1. Clean the Viri and install or update and ascertain that all have Virus protection and that it works.

    2. Cleanup and tweak for performance.

    Here we go!

    Here is the best free virus scanner for those that have no scanner or an outdated one. If it does have an out of date virus scanner, then uninstall it in Add/Remove. Then use Search to remove the rest from the HD. Then use a registry search to find it in the registry. Are you comfortable searching the registry?

    AVG http://www.grisoft.com/

    Next the cleanup steps and tools. Note some of these do the same thing it appears but I use them because they find things the others miss. If you use them all this system will be squeaky clean.

    Use in the order presented.

    Configure CleanMgr to max settings
    Go to Start-Run and type (this is for all 95 - 98, 2K or XP)

    cleanmgr /sageset:1
    The above need only be run once (these settings will be remembered as the default until another sageset is run).

    It will present a menu; select all except compress, then

    Go to Start-Run and type

    cleanmgr /sagerun:1
    As long as /sageset above has been run on this computer, from now on the /sagerun is the only thing that needs to run.

    Cleanups
    These are for 95 98 only!

    Boot to DOS (not shutdown to DOS). While booting hit F8 to the startup menu. Choose "command prompt only".

    If you have an ME let me know.

    Type these commands exactly hit enter at the end (do not type the notes that are in parenthesis like this).

    del c:\*.swp (may get file not found, is ok)
    del c:\windows\*.swp
    deltree c:\windows\shelli*.*
    deltree c:\windows\temp\*.* (answer yes to all) "ALL"
    deltree c:\windows\tempor~1\*.*
    deltree c:\windows\history\*.*
    deltree c:\windows\spool\printers\*.*

    Spyware and adware removal

    SpyBot http://security.kolla.de/index.php?lang=en&page=download
    Run this twice delete all it finds, "ALWAYS" run this before AdAware.
    Leave all it wants to leave after the second run.

    Registry and System cleaners

    RegCleaner <http://www.vtoy.fi/jv16/shtml/regcleaner.shtml>
    Look in first 2 cols for programs you thought you uninstalled or removed, these are the dregs left by the uninstaller. Also tag and remove any that you are POSITIVE are not supposed to be on your computer. After removing these go to the top Tools-Registry Cleanup-Do them all. Delete all it finds.

    EasyClean1.7 <http://gswi.com/downloads.htm>
    Run only unnecessary files and registry clean delete all it finds. If you have XP or ME in the "Unnecessary Files" type the word HELP in the skip box. Do not do Duplicate files!

    RegScrubXP http://home.carolina.rr.com/lexunfreeware/RegScrubXP/RegScrubXP.htm
    NOTE: W2K and XP only
    Select RegScrub finds problems and remove all it finds.

    Online Virus scanners
    <http://www.anti-trojan.net/at.asp?l=en&t=onlinecheck>
    <http://www.bitdefender.com/scan/licence.php>
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    NSClean cleanups and exploit fixes
    <http://www.nsclean.com/freebies.html>
    <http://nsclean.com/dsostop.html>
    <http://nsclean.com/htastop.html>
    <http://nsclean.com/0click.html>
    <http://nsclean.com/socklock.html>
    <http://nsclean.com/sclean.html>


    Startup control
    <http://www.mlin.net/StartupCPL.shtml>

    This gives simple and full control of what starts at boot up. After install there will be a Startup icon in control panel. Why this over Msconfig? Msconfig only allows unchecking/disabling of items. Startup Control panel allows deleting items or moving from startup to run as a service etc.

    Do all this and all should be clean. Then if any, or the 2K, is still slow let us know and we will help to tweak the Services.

    After all this cleaning you should run a scandisk and defrag.

    Let us know.

    Mike
     
  12. 2003/06/17
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,068
    Likes Received:
    396
    10 bucks says this is what has occurred:

    1. A virus was downloaded to the www computer via email.
    2. The virus copied itself to other computers on the network.
    3. The www computer's anti-virus cleaned the virus off of the www computer.
    4. When systems are started again, and network connections made, the viruses transfer back to the www computer from the non-www computers on the network.

    You CAN use the antivirus program to scan files on the other computers on the network. Depending upon your AV and network configs, the AV program will be able to detect viruses on the networked systems but MAY NOT be able to disinfect those other computers. If not, you can make floppy AV disks from the www system to be used on the other computers.
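    The posts above (Tony's "note where the viruses are" and Mike's bet that a station on the peer-to-peer network is reinfecting the www computer) amount to one diagnostic: group the quarantine events by where the detected file lived. Below is an added example, not code from this thread or from any of its posters, that does that grouping over a few constructed quarantine log lines. The "date | threat | path" log format and the sample lines are constructed for the example; it does not reproduce Norton's real log format. Assumed rules: a UNC path (\\HOST\...) means the file was reached over a network share, a path under Temporary Internet Files means a web download, and drive A:/B: is treated as a floppy.

```python
import re
from collections import Counter, defaultdict
from typing import NamedTuple

# Constructed sample quarantine log (not from any real product): one event
# per line as "date time | threat name | path of the quarantined file".
SAMPLE_LOG = r"""
2003/06/10 09:02:11 | W32.Sample.Worm | \\SLAVE1\shared\invoice.exe
2003/06/11 08:58:40 | W32.Sample.Worm | \\SLAVE1\shared\invoice.exe
2003/06/12 09:01:05 | W32.Sample.Worm | C:\Documents and Settings\user\Local Settings\Temporary Internet Files\setup[1].exe
2003/06/13 09:03:27 | W32.Sample.Worm | \\SLAVE3\c\windows\system\ntkrnl.exe
2003/06/14 14:20:00 | Trojan.Sample | C:\Program Files\Outlook Express\attach\photo.pif
"""


class Event(NamedTuple):
    when: str
    threat: str
    path: str


LINE_RE = re.compile(r"^(\S+ \S+) \| ([^|]+?) \| (.+)$")


def parse_log(text: str) -> list:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            events.append(Event(*m.groups()))
    return events


def classify_source(path: str) -> tuple:
    """Return (category, origin) for a quarantined file path.

    Categories (assumed rules for this example):
      network_share  UNC path; origin is the remote host name (lower-cased)
      browser_cache  file under Temporary Internet Files; origin 'web'
      removable      drive A:/B:, assumed to be a floppy; origin is the drive
      local          anything else
    """
    p = path.lower()
    if p.startswith("\\\\"):
        host = p[2:].split("\\", 1)[0]
        return "network_share", host
    if "temporary internet files" in p:
        return "browser_cache", "web"
    if p[:2] in ("a:", "b:"):
        return "removable", p[:2]
    return "local", "local"


def summarize(events: list) -> tuple:
    """Count events per source category and, per threat name, per origin."""
    by_source = Counter()
    by_threat_origin = defaultdict(Counter)
    for e in events:
        cat, origin = classify_source(e.path)
        by_source[cat] += 1
        by_threat_origin[e.threat][origin] += 1
    return by_source, by_threat_origin


def suspect_hosts(events: list, min_hits: int = 2) -> list:
    """Network hosts from which the *same* threat name was quarantined at
    least min_hits times: the 'clean scan, same virus again tomorrow'
    pattern the thread describes, pointing at a station that still holds it."""
    hits = Counter()
    for e in events:
        cat, origin = classify_source(e.path)
        if cat == "network_share":
            hits[(origin, e.threat)] += 1
    return sorted({host for (host, threat), n in hits.items() if n >= min_hits})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    by_source, by_threat = summarize(evs)
    print("events by source:", dict(by_source))
    for threat, origins in by_threat.items():
        print(f"{threat}: {dict(origins)}")
    print("hosts to clean first:", suspect_hosts(evs))
```

    On the constructed sample this reports three of five detections reached over network shares and names SLAVE1 as the station to isolate and clean first, which is the order Mike's option (c) calls for; on a real log the same grouping tells you whether the re-detections are coming from the network, from the browser cache, or from a floppy.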
     
  13. 2003/06/17
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Message 7 from the top.

    Quote

    I will bet you that he is being reinfected by the network. You probably have a station or more whose virus scanner has expired or is disabled, or worse, none at all.

    Unquote

    Mike
     
  14. 2003/06/17
    shenanigins

    shenanigins Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    104
    Likes Received:
    0
    Okay... I've got all the "ammo" from your replies and am going to attack their system today. I'm keeping my fingers (and toes) crossed that this takes care of the problems for good!

    I'm still wondering if you have any ideas about the "primary memory dump" notice he received yesterday after he crashed? Is this something I need to be concerned about?

    I will post results sometime this evening and let you all know how it turned out. Again... thanks a million for your enthusiastic and kind replies!

    Shannon
     
  15. 2003/06/17
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Look closely at the event logs to find info on the dump.

    It could be it is constipated with temps and spy/adware.

    Or, and this is the reason I included the online virus scanners, make sure you get a second opinion.

    Better remember my advice about keeping all isolated until clean.

    Don't forget to get us some info on the system, # of computers, operating system on the others, virus scanners. Type of internet, if broadband do you have a router or dual NICs. If dual NICs you should consider a router for its firewall like features. If dual NICs then you need a software firewall.

    Mike
     
  16. 2003/06/17
    shenanigins

    shenanigins Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    104
    Likes Received:
    0
    Okay... here's the info I have so far:

    Administrator Computer :
    - Pentium 4 - AT/AT Compatible
    - 1.7 GHz
    - 384 MB RAM
    - Windows 2000 - 5.00.2195
    - Service Pack 3
    - Microsoft Network

    Slave 1:
    - Pentium 2 - Intel MMX
    - 334 MHz
    - 64 MB RAM
    - Win 98 - 4.10.1998
    - Microsoft Network

    Slave 2:
    - AMD - Enhanced MM486x4
    - 16 MB RAM
    - Windows 95 - 4.00.950B
    - Microsoft Network

    Slave 3:
    - AMD K-6 3D
    - 24 MB RAM
    - Windows 98 - 4.10.1998
    - Microsoft Network


    I haven't figured out how to determine what kind of networking system is being used (as I mentioned before, I'm clueless with the network stuff). All the computers are connected with a blue network wire with the following info:

    - commscope network cable P/N 0590 568 cat5 e113333 4 pr/24 (UL) type cmp

    These are all plugged into a box above the administrator computer. I can't find any identifying information on the box other than the following: 8800TPC

    Then this box is connected to the administrator computer into the port on the back.

    The administrator computer is connected to the internet with a DSL Modem (yahoo/sbc). Whoever set up the network was unable to get the other computers to have access through this connection, so they connect to the internet via telephone modems and local ISPs.

    I am currently stripping/cleaning the Slave 1 computer, as this is the least needed to run the business. I will check back here to see if you have any more directions/information for me throughout the day.

    Thanks!
    Shannon
     
  17. 2003/06/17
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    If there is only a HUB (8800TPC), then it has a cable going to the computer.

    So then to confirm, where does the DSL modem connect? Into the computer also, so there are 2 cables to the 2K computer, 1 from the modem and one from the hub (8800TPC)?

    The "Acting Server" is not Windows 2000 Server but Win 2000 Pro, so the network is called "Peer to peer".

    The only thing I can advise at this point is that after everything is cleaned, I recommend he invest in a 60.00 router; they can be had from Office Max, Office Depot, Circuit City. This will do three things.

    1. It will give firewall type protection from internet intrusion.
    2. It will allow all computers easy access to the high speed internet
    3. Allow cancellation of the Dialup accounts and therefore pay for itself in probably 3 months, sooner if he has two other dialup accounts.

    Since it has 4 network ports it will replace the hub you now have, which is a 10 Mbps speed Hub, with a 100 Mbps Switch (a Switch is more efficient and faster than a Hub even at the same speed), so 9 times faster.

    Just for consideration.

    Let us know how it is going.

    I will be out of touch after 5 pm EDT till 9:30 or 10:00 pm.

    mike
     
  18. 2003/06/17
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Good advice Mike but you underestimated the speed boost.

    Assuming that all network cards are 10/100:

    1. Hub max speed 10Mbps to the hub but if multiple PCs connected, they will each get a piece of the 10Mbps so with 4 PCs, potential speed as slow as 2-3Mbps per PC. Switch will run at 100Mbps and can deliver that full amount to all devices connected so all will run at 100Mbps.

    2. Hub runs half-duplex (send or receive but not both at once) while switch can run full-duplex so a potential speed doubling from duplexing.

    3. Hub has no clue who is on the network nor where they might be located. All traffic routed via the "Hey - Joe wants to speak to Fred. Anybody out there named Fred?" and every body has to pause to listen to the broadcast. Switch knows who is where and will do a "Fred, Joe wants to talk" that only Fred has to listen and respond to.

    On a small network like this I'd expect to see a gain of 10-12 times the hub speed with a switch but when things are busy it can easily go as high as 20-25 times faster.
     
  19. 2003/06/17
    shenanigins

    shenanigins Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    104
    Likes Received:
    0
    You guys are awesome!!! ;)

    After a VERY long day at the office I am almost finished cleaning ONE computer! This is one of the slaves, and the one I figured might have a virus. No viruses detected, but I did clean up lots of registry files, etc. I had some problems with the installation of the Norton software... missing DLL files, etc. Then updating all of the files took forever being on a slow dial up connection. I have run the first 2 of the online virus scans listed in Mike's instructions. I have the rest of the list to complete in the morning.

    The administrator computer is on my list for attack tomorrow, as my father will be gone for the afternoon. I will definitely talk to him tomorrow about the suggestions regarding the network connections. If I can convince him to go that direction I will need more expert guidance to get everything connected correctly, though. :D

    I've seen enough of the computer screen for today, though... so I'm signing off for the night. Will be back again in the a.m.

    Once again, thank you all so much!

    ~Shannon
     
  20. 2003/06/18
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    10-4 Newt yes I know this but was trying to be brief as this msg was getting long. Just trying to get the point it would be much much faster.

    OK Shannon

    I was off yesterday but today I am back at work and will be traveling some. So I will be unavailable until late this evening. But there is plenty of help on this BBS. And you have plenty to keep you busy.

    I would suggest that if you have access to broadband and a cdr that you d/l and burn all the Cleaners and etc so you will not have to wait for a modem.

    Mike
     
  21. 2003/06/18
    shenanigins

    shenanigins Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    104
    Likes Received:
    0
    If I can convince him to change to the router, what other cables, etc., will I need? Are the current cables to/from the slaves okay? Will I need new software? How difficult will this be to set up?

    The administrator computer has one network cable running to/from the hub and another cable running to/from the dsl modem. The dsl modem is not connected directly to the hub in any way.
     